高级加密标准(AES)

单击此处编辑母版标题样式,单击此处编辑母版文本样式,第二级,第三级,第四级,第五级,*,第,5,章 高级加密标准,(,AES),AES,的起源,AES,的设计原则,AES,算法描述,1.AES,的起源,1997,年,9,月，,NIST,征集,AES,方案，以替代,DES,。,1999,年,8,月，以下,5,个方案成为最终候选方案：,MARS,RC6,Rijndael,Serpent,Twofish,。,2000,年,10,月，由比利时的,Joan,Daemen,和,Vincent,Rijmen,提出的算法最终胜出。（,Rijndael,读成,Rain Doll,。）,http:/www.,esat,.,kuleuven,.ac.be/,rijmen,/,rijndael,/,2.AES,的设计原则,能抵抗所有已知的攻击；,在各种平台上易于实现，速度快；,设计简单。,Rijndael,是一个分组密码算法，其分组长度和密钥长度相互独立，都可以改变。,分组长度（,bit,）,128,192,256,密钥长度（,bit,）,128,192,256,表,1.,分组长度和密钥长度的不同取值,3.,AES,算法的一般描述,Rijndael,Round,的构成,ByteSubstitution,ByteRotation,MixColumn,+,Round,Key,一般的轮变换,ByteSubstitution,ByteRotation,+,Round,Key,最后一轮的轮变换,3.,AES,算法加密部分的实现,明文分组和密钥的组织排列方式,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,0,4,8,12,1,5,9,13,2,6,10,14,3,7,11,15,Fig 1.,以明文分组为,128bits,为例组成的阵列,0,4,8,12,1,5,9,13,2,6,10,14,3,7,11,15,0,4,8,12,16,20,1,5,9,13,17,21,2,6,10,14,18,22,3,7,11,15,19,23,0,4,8,12,16,20,24,28,1,5,9,13,17,21,25,29,2,6,10,14,18,22,26,30,3,7,11,15,19,23,27,31,Fig 2.,以明文分组（或密钥）为,128bits,、,192bits,、,256bits,为例组成的阵列,一些相关的的术语定义和表示,状态（,State,）：,密码运算的中间结果称为状态。,State,的表示：状态用以字节为基本构成元素的矩阵阵列来表示，该阵列有,4,行，列数记为,Nb,。,Nb,=,分组长度（,bits,）,32,Nb,可以取的值为,4,，,6,，,8,，对应的分组长度为,128,，,192,，,256 bits,。,密码密钥（,Cipher Key,）,的表示：,Cipher Key,类似地用一个,4,行的矩阵阵列来表示，列数记为,Nk,。,Nk,=,密钥长度（,bits,）,32,Nk,可以取的值为,4,，,6,，,8,，对应的密钥长度为,128,，,192,，,256 bits,。,Fig 3.,当,Nb,=6,时的状态和,Nk,=4,时的密钥布局,a,0,0,a,0,1,a,0,2,a,0,3,a,0,4,a,0,5,a,1,0,a,1,1,a,1,2,a,1,3,a,1,4,a,1,5,a,2,0,a,2,1,a,2,2,a,2,3,a,2,4,a,2,5,a,3,0,a,3,1,a,3,2,a,3,3,a,3,4,a,3,5,Nb,=6,Block Length=192 bits,K,0,0,K,0,1,K,0,2,K,0,3,K,1,0,K,1,1,K,1,2,K,1,3,K,2,0,K,2,1,K,2,2,K,2,3,K,3,0,K,3,1,K,3,2,K,3,3,Nk,=4,Key Length=128 bits,Fig 4.,分组长度和密钥长度均为,128 bits,时的,Rijndael,加密算法框图,Data/Key,Addition,Rnd,0,Rnd,1,Rnd,8,Final,Rnd,Key,Schedule,Cipher,Text,Key,Plain,Text,表,2.,轮数（,Round,）,的不同取值,轮数（,Round,）,Block Length=128,Block Length=192,Block Length=256,Key Length=128,10,12,14,Key Length=192,12,12,14,Key Length=256,14,14,14,用伪代码表示的,Rijndael,轮变换,一般的轮变换,Round(State,RoundKey,),ByteSubstitution,;,ByteRotation,;,MixColumn,;,AddRounKey,;,结尾轮变换,FinalRound,(State,RoundKey,),ByteSubstituion,;,ByteRotation,;,AddRoundKey,;,ByteSubstitution,(,字节替代,),ByteSubstitution,是一个非线性的字节替代，独立地在每个状态字节上进行运算。它包括两个变换。,1.,在有限域,GF(,2,8),上求乘法逆，,00,映射到它自身。,2.,在,GF(2),上进行下面的仿射变换：,y,0,1,1 1,1,1,0 0 0,x,0,0,y,1,0,1 1,1,1,1 0 0,x,1,1,y,2,0 0 1,1,1,1 1 0,x,2,1,y,3,0 0 0,1,1,1 1 1,x,3,0,y,4,1,0 0,0,1,1 1 1,x,4,0,y,5,1,1 0,0,0,1 1 1,x,5,0,y,6,1,1 1,0,0,0 1 1,x,6,1,y,7,1,1 1,1,0,0 0 1,x,7,1,Fig 6.,ByteSubstitution,该变换可以用一个,256,字节的表来实现,B,0,0,B,0,1,B,0,2,B,0,3,B,1,0,B,1,1,B,1,2,B,1,3,B,2,0,B,2,1,B,2,2,B,2,3,B,3,0,B,3,1,B,3,2,B,3,3,A,0,0,A,0,1,A,0,2,A,0,3,A,1,0,A,1,1,A,1,2,A,1,3,A,2,0,A,2,1,A,2,2,A,2,3,A,3,0,A,3,1,A,3,2,A,3,3,取逆,仿射变换,ByteRotation,(,字节移位,),在,ByteRotation,变换中，状态阵列的后,3,行循环移位不同的偏移量。第,1,行循环移位,C1,字节，第,2,行循环移位,C2,字节，第,3,行循环移位,C3,字节。,偏移量,C1,、,C2,、,C3,与分组长度,Nb,有关，如下表所示：,Nb,C1,C2,C3,4,1,2,3,6,1,2,3,8,1,3,4,Fig 7.,ByteRotation,0,4,8,12,1,5,9,13,2,6,10,14,3,7,11,15,0,4,8,12,5,9,13,1,10,14,2,6,15,3,7,11,循环左移,1,字节,循环左移,2,字节,循环左移,3,字节,MixColumn,(,列混合,),将状态的列看作是有限域,GF(,2,8),上的多项式,a(x),，,与多项式,c(x)=03,x,3+01,x,2+01,x,+02,相乘,(,模,x,4,1,),。,令,b(x)=c(x)a(x),，,写成矩阵形式为：,b,0,02 03 01 01,a,0,b,1 =,01,02 03 01,a,1,b,2,01 01,02 03,a,2,b,3,03 01 01 02,a,3,Fig 8.,MixColumn,这一运算作用在每一列上,A,0,0,A,0,1,A,0,2,A,0,3,A,1,0,A,1,1,A,1,2,A,1,3,A,2,0,A,2,1,A,2,2,A,2,3,A,3,0,A,3,1,A,3,2,A,3,3,B,0,0,B,0,1,B,0,2,B,0,3,B,1,0,B,1,1,B,1,2,B,1,3,B,2,0,B,2,1,B,2,2,B,2,3,B,3,0,B,3,1,B,3,2,B,3,3,C(X),2.4,AddRoundKey,(,轮密钥加,),将轮密钥与状态按比特异或。轮密钥是通过,Key Schedule,过程从密码密钥中得到的，轮密钥长度等于分组长度。,A,0,0,A,0,1,A,0,2,A,0,3,A,1,0,A,1,1,A,1,2,A,1,3,A,2,0,A,2,1,A,2,2,A,2,3,A,3,0,A,3,1,A,3,2,A,3,3,K,0,0,K,0,1,K,0,2,K,0,3,K,1,0,K,1,1,K,1,2,K,1,3,K,2,0,K,2,1,K,2,2,K,2,3,K,3,0,K,3,1,K,3,2,K,3,3,B,0,0,B,0,1,B,0,2,B,0,3,B,1,0,B,1,1,B,1,2,B,1,3,B,2,0,B,2,1,B,2,2,B,2,3,B,3,0,B,3,1,B,3,2,B,3,3,A,3,3,K,3,3,B,3,3,(mod 2),Fig 7.,Rijndael,加密及解密的标准结构,Block,Key Length=128 bits,Plaintext(128 bits),ByteSubstitution,MixColumn,Ciphertext(128 bits),K,0,Ki,i=10,ByteRotation,for i=1 to 10,Ciphertext(128 bits),K,10,InvMixCoumn,InvByteRotation,InvByteSubstitution,K,i,Plaintext(128 bits),i=9,for i=9 to 0,加密,解密,用伪代码表示的,Rijndael,加密算法,Rijndael,(State,CipherKey,),KeyExpansion,(,CipherKey,ExpandedKey,);,AddRoundKey,(State,ExpandedKey,);,For(i=1;i,Rnd,;i+),Round(State,ExpandedKey,+,Nb,*i);,FinalRound,(State,ExpandedKey,+,Nb,*,Rnd,);,提前进行密钥扩展后的,Rijndael,加密算法描述,Rijndael,(State,ExpandedKey,),AddRoundKey,(State,ExpandedKey,);,For(i=1;i,Rnd,;i+),Round(State,ExpandedKey,+,Nb,*i);,FinalRound,(State,ExpandedKey,+,Nb,*,Rnd,);,AES,的密钥调度,密钥调度包括两个部分：密钥扩展和轮密钥选取。,密钥,bit,的总数分组长度,（轮数,Round,1,）,例如当分组长度为,128bits,和轮数,Round,为,10,时，轮密钥长度为,128(10,1),1408bits,。,将密码密钥扩展成一个扩展密钥。,从扩展密钥中取出轮密钥：第一个轮密钥由扩展密钥的第一个,Nb,个,4,字节字，第二个圈密钥由接下来的,Nb,个,4,字节字组成，以此类推。,密钥扩展,K,0,0,K,0,1,K,0,2,K,0,3,K,1,0,K,1,1,K,1,2,K,1,3,K,2,0,K,2,1,K,2,2,K,2,3,K,3,0,K,3,1,K,3,2,K,3,3,K,0,K,1,K,2,K,3,K,0,K,1,K,2,K,3,K,4,K,5,K,6,K,7,+,+,+,K,0,K,1,K,2,K,3,K,4,K,5,K,6,K,7,Byte,Substitution,ByteRotate,+,Rcon,W,i-4,W